New problems with openemr

arnabnaha wrote on Monday, October 11, 2010:

Hi All…
I am facing some new problems with openemr…i installed the latest snapshot of the openemr 4.0. i am on WINDOWS VISTA.

Problem I

previously in openemr, whenever a document was uploaded from the patient summary screen -> documents -> Patient ID card, the image used to save in a distinct folder with unique patient ID number in the C:\Xampp\htdocs\openemr\documents folder. Now after the multi site support, it saves as a unique patient ID folder but directly in the C: drive. How can i change that so that it saves in sites\default\documents folder?

Problem II

After uploading an image of the patient ID card, when i return back to the demographics summary, i see link “Click to view ID Card” but when i click it, a modal window opens up saying error 403, access forbidden. why is this so?

sunsetsystems wrote on Monday, October 11, 2010:

The upload seems OK under Linux here.  It sounds like something funny is going on when the value of $GLOBALS is set in sites/default/config.php.  You might do some debugging to find out what that value is.

The problem with viewing the image from patient demographics seems to be that someone put a default .htaccess file into the documents directory that forbids all access.  It appears something needs to be done about that.

Rod
www.sunsetsystems.com

tmccormi wrote on Monday, October 11, 2010:

I noticed the .htaccess issue as well and meant to ask about that.  It either needs to be removed or documented as something requiring specific site side edits to make it work.
-Tony

arnabnaha wrote on Monday, October 11, 2010:

Thanks Rod and Tony…

the problem is solved…
i changed the value of $GLOBALS to “sites/default/documents/” and bingo….the unique patient number folder with the document uploaded saves right there.

For the second problem…i deleted the .htaccess file from the folder and the image shows right up there…

please commit these changes…if found useful…and thanks to both of you for highlighting those areas….

sunsetsystems wrote on Monday, October 11, 2010:

I think a nice solution would be to create a general-purpose PHP script to be used for displaying images.  So for example instead of linking to /openemr/sites/default/documents/123/something.pdf you might link to /openemr/viewdoc.php?doc=documents/123/something.pdf.  The script would check your permissions as appropriate for the given location and either dump the file’s contents to the page, or give you a message saying you don’t have permission to see it.

Rod
www.sunsetsystems.com

arnabnaha wrote on Monday, October 11, 2010:

hi rod

that will be great…i am not a developer, i know very few things regarding php codes…so its up for you guys to make a useful script for doctors like us…we are always grateful to you all for building such a great software…openemr rocks!!!

bradymiller wrote on Tuesday, October 12, 2010:

Rod, arnabnaha, and others,

Problem I
Sounds like multisite patch has broken windows openemr…

Problem II
This mechanism to securely show images/documents already exists; see how the patient picture and the advanced directives are displayed in the patient summary screen (so could simply incorporate this into the patient ID card). Should never utilize direct linking into the documents directory as the current patient ID card algorithm does, since it only works if user makes their site unsecure (ie. arnabnaha, now that you’ve removed the .htaccess file I could potentially look at and copy all of your patients’ documents without even logging into openemr…).

-brady

bradymiller wrote on Tuesday, October 12, 2010:

bit more stuff forgot to mention above. For Problem 1, has been added to bug tracker:
https://sourceforge.net/tracker/index.php?func=detail&aid=3084385&group_id=60081&atid=493001#
For problem II, rec putting a feature request for this item in the tracker.
-brady

sunsetsystems wrote on Tuesday, October 12, 2010:

I added a suggestion to that tracker item.  But I’d still like to know what was in $GLOBALS before the workaround was put in.

Rod
www.sunsetsystems.com

arnabnaha wrote on Tuesday, October 12, 2010:

in the current openemr 4.0 its like this by default:
$GLOBALS = $GLOBALS . “/documents/”;
$GLOBALS = “/usr/bin/file”;

in previous openemr without multi site feature it was like this:
$GLOBALS = “documents/”;
$GLOBALS = “/usr/bin/file”;

i changed it to:
$GLOBALS = “sites/default/documents/”;
$GLOBALS = “/usr/bin/file”;

and also removed the .htaccess file….

arnabnaha wrote on Tuesday, October 12, 2010:

Hi all…
I changed the .htaccess file a bit…
Allow from 127.0.X.X
Deny From All
Also incorporated the changes told by Rod in the bug tracker and now its fine…
i included my localhost ip address in the .htaccess file and it works fine even without deleting the file…i guess this solves the problem…please comment…

sunsetsystems wrote on Tuesday, October 12, 2010:

I checked in my change from the bug tracker, thanks for testing that.

Re .htaccess, I think what you did was allow localhost to view the images.  Don’t see how that would fix it for other client machines.

Rod
www.sunsetsystems.com

arnabnaha wrote on Tuesday, October 12, 2010:

thanks Rod

for other client machines…i have added a second line Allow From X.X.X.X (Ip address of that machine). i have tested it on another machine which is connected via LAN in my system and it works great…

bradymiller wrote on Tuesday, October 12, 2010:

hey,
Regarding .htaccess file, you are just opening up a security hole. Do following steps now:
1) Open your patient with id of ‘1’ and insert a document titled ‘record.pdf’
2) Logout of OpenEMR
3) Go to link ‘http://localhost/openemr/sites/default/documents/1/record.pdf’
So, you are able to browse your patient’s records without even logging in…

As I discussed above, the most appropriate fix for this is incorporating the already existent mechanism that displays the patient picture and advanced directives from the patient summary screen in a secure manner.

-brady
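
Added example, not part of the thread and not OpenEMR's own code: a sketch of the gatekeeper script Rod suggests above, enforcing the rule Brady describes (no document is served without a logged-in, authorized session). The file name `viewdoc.php` and the `doc` parameter come from Rod's post; `SITE_DIR`, the session keys `authUser` and `allowed_pids`, and the helper names are assumptions standing in for the application's real login and ACL checks.

```php
<?php
// viewdoc.php - added illustration, not OpenEMR code.
// Assumptions: SITE_DIR, $_SESSION['authUser'], $_SESSION['allowed_pids'].
const SITE_DIR = __DIR__ . '/sites/default';

// Map ?doc=documents/<pid>/<file> to a real file that is provably inside
// SITE_DIR/documents; returns [path, pid] or null.
function resolve_document(string $siteDir, string $requested): ?array
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($siteDir . '/documents');
    $full = realpath($siteDir . '/' . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // realpath() has already collapsed ../ and symlinks, so a prefix check
    // is enough to reject anything outside the documents directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // The first directory under documents/ is the patient id.
    $pid = explode(DIRECTORY_SEPARATOR, substr($full, strlen($prefix)))[0];
    return ctype_digit($pid) ? [$full, (int)$pid] : null;
}

// Hypothetical stand-in for the application's own ACL lookup.
function user_may_view_patient(array $session, int $pid): bool
{
    return !empty($session['authUser'])
        && in_array($pid, $session['allowed_pids'] ?? [], true);
}

session_start();
$doc = resolve_document(SITE_DIR, (string)($_GET['doc'] ?? ''));
if ($doc === null || !user_may_view_patient($_SESSION, $doc[1])) {
    // Same answer for "missing" and "not allowed": no file-existence oracle.
    http_response_code(403);
    exit('You do not have permission to see this document.');
}
header('Content-Type: ' . (mime_content_type($doc[0]) ?: 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($doc[0]));
readfile($doc[0]);
```

Because the script reads the file from disk itself, the `Deny From All` rule in the documents directory can stay in place, and the logged-out request in Brady's three steps is answered with a 403.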